2018 Predictions It is hard to believe we are coming to the end of another year.  Seems like just yesterday we recorded our 7 Educated Guesses About 2018.  Today we review our 2018 predictions, ummmm, educated guesses for 2018 and see how we did.



HIPAA For MSPs by David Sims 2018 Predictions - How Did We Do?
00:00:00 00:00:00

We aren’t ones to get too bold with predictions but it still matters to us, of course, to feel like we see what is around us and prepare for the future.  There is no way either one of us can do something like this and not feel competitive about it.  It is just not our Donna’s nature.  So, let’s see how we did.

  1. OCR will start making some announcements about settlements dealing with breaches from 2015 and later – up until now they have mostly announced resolutions for 2014 cases and earlier.
    • It didn’t start out that way.  There was a lull without much happening but then, boom, big things were announced.  We even mentioned Anthem.  The OCR has made it clear that they will be focusing on enforcement in the next year.  That means things are going to get very interesting.
    • MD Anderson, Anthem, TV filming, and more were announced to make it a record-breaking year for enforcement income.  The number of settlements wasn’t shabby either.
    • There may still be more to close out the year.  Either way, I think we were spot on with this one.
  2. Ransomware (digital extortion) will continue to wreak havoc.
    • We started January with Sam Sam attacking several healthcare entities including Allscripts.
    • There hasn’t been a slow down in healthcare.  Several reports point out that there has been a drop in the attacks.  The attacks have become more targeted.
  3. GDPR will ripple across the pond
    • It is happening as we speak.  Multiple bills have been passed around DC but nothing has stuck yet.  Who knows if that will get passed but it is out there.
    • The states have passed long lists of new bills relating to privacy and data breach notifications.
    • Ohio has passed a new safe harbor law that is very interesting. It allows companies to use an affirmative defense in lawsuits after data breaches.  You aren’t immune but if you can prove you were meeting these requirements things will go much better for you.
      • To take advantage of Ohio’s safe harbor, a business must put in place a cybersecurity program that satisfies three requirements:
        1. The program must be designed to protect the security and confidentiality of personal information;
        2. It must protect against any anticipated threats or hazards to the security or integrity of personal information; and,
        3. It must protect against unauthorized access to and acquisition of personal information.
      • It is not required for businesses to do anything but if they do it needs to meet standards,
        1. As a benchmark, the statute says that an organization’s cybersecurity plan must “reasonably conform” to one of the following cybersecurity frameworks including NIST, the Federal Risk and Authorization Management Program Security Assessment Framework; Center for Internet Security’s Critical Controls for Effective Cyber Defense; or the International Organization’s for Standardization/International Electrotechnical Commission’s 27000 Family – Information Management Systems.
        2. Alternatively, businesses already subject to state or federally mandated requirements may also qualify for the safe harbor if they conform to the security requirements set forth in the Healthcare Insurance Portability and Accountability Act of 1996 or HIPAA; Title V of Gramm-Leach Bliley Act of 1999; the Federal Information Security Modernization Act of 2014 or the Health Information Technology for Economic and Clinical Health Act.
        3. Companies that accept credit card payments must also comply with the Payment Card Industry’s Data Security Standards to qualify for the affirmative defense.
    • California’s laws are the ones many people say are modeled after GDPR.  As of now, HIPAA supersedes those laws.
    • The states have also gotten into fines and penalties this year to put some teeth to their rules.  New Jersey alone has hit some of them pretty hard.
  4. IoT attacks and breaches will make news bringing medical device security to the forefront.
  5. Insiders will make the difference.
  6. New password technologies and options will begin to catch on.
    • Multifactor authentication is a hot topic at most places that we work with at some level.
    • Password managers are finally becoming more common which is an important step before making the MFA/2FA step.  People have to get used to the fact that Security Is Not Convenient.
  7. Communications tools will be under more scrutiny after phishing attacks and unsecured messaging breaches become overwhelming.
    • This one has become much more a concern that many people do not understand.  It seems every day we see another breach announcement involving a compromised employee email account.  We explained that in the episode about BEC EAC the latest threat to your PHI.
    • If you are using email with PHI you really need to visit prediction #6 above ASAP.  If you do not implement a second-factor solution soon you will likely regret at some point in the near future.

We did manage to make some pretty solid educated guesses back in January.  At this point, we still have a few more weeks left in 2018.  If anything our list may prove to be more accurate.  Right now, it is pretty accurate.

Now, the pressure is on to figure out what we want to include on our list for 2019.  That remains to be seen but we are working on it for a January release.